Package: libkadm5srv-mit11
Version: 1.17-9
Severity: important

Upgrade to 1.17-9 broke my Kerberos configuration.  At first I got an error
about a missing database (see #962519).  Downgrading all packages with krb5 in
their name back to 1.17-7 allowed me to start the KDC again, restoring user
logins, but the admin server and other administrative programs started giving
a different error:

Jun  9 11:05:51 capybara kadmind[28039]: Can not fetch master key (error: No such file or directory). while initializing, aborting

After puttering about for a while I finally discovered that there were two
other library packages from the krb5 source package, this one and the clnt
variant.  Downgrading those allowed the admin server to start as well.

It seems that something in either 1.17-8 or 1.17-9 completely broke
configuration handling.  In strace of the broken version I can see that it
first opens and reads the correct configuration file in /etc, but then tries
to stat /var/krb5kdc/kdc.conf and discovers it does not exist:

stat("/etc/krb5kdc/kdc.conf", {st_mode=S_IFREG|0644, st_size=849, ...}) = 0
openat(AT_FDCWD, "/etc/krb5kdc/kdc.conf", O_RDONLY) = 3
read(3, "[libdefaults]\n\tdefault_realm = T"..., 4096) = 245
close(3)                          = 0
stat("/var/krb5kdc/kdc.conf", 0x7fff1257d200) = -1 ENOENT (No such file or directory)

It then goes on to try to open the master key stash at the default location
and reports the error when that does not exist:

openat(AT_FDCWD, "/var/krb5kdc/.k5.MY.REALM", O_RDONLY) = -1 ENOENT (No such file or directory)
write(2, "kadmind: Can not fetch master ke"..., 99) = 99

The working version uses /etc/krb5kdc/kdc.conf throughout and finds the
correct master key stash.

-- System Information:
Debian Release: bullseye/sid
  APT prefers unstable
  APT policy: (500, 'unstable'), (500, 'testing'), (500, 'stable'), (500, 'oldstable'), (1, 'experimental')
Architecture: amd64 (x86_64)
Foreign Architectures: i386

Kernel: Linux 5.4.35-core2-server (SMP w/8 CPU cores)
Kernel taint flags: TAINT_OOT_MODULE
Locale: LANG=en_US.utf8, LC_CTYPE=en_US.utf8 (charmap=UTF-8), LANGUAGE=en_US.utf8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: sysvinit (via /sbin/init)
